Brexit Withdrawal Agreement – Data Protection Update

Although it may be rejected amid the political maelstrom raging around Brexit, there are some key aspects of the draft EU-UK Withdrawal Agreement which concern data protection.

What’s encouraging, is that there appears to be a clear drive towards a position in which personal data can continue to flow seamlessly between the UK and the EU.

Building on our Brexit, GDPR and data protection, article published in September, below is a brief data protection focused summary of what’s contained in the draft Withdrawal Agreement and its accompanying, Outline of the Political Declaration document. The UK Prime Minister has explained that the draft agreement relates to the terms by which the UK will leave the EU and the Outline is a forward-looking document describing briefly the relationship and mechanisms between the UK and the EU post Brexit. Mrs May has stressed she will work with her European counterparts to provide more detail on the forward-looking aspect.

Building on our Brexit, GDPR and data protection, article published in September, below is a brief data protection focused summary of what’s contained in the draft Withdrawal Agreement and its accompanying, Outline of the Political Declaration document. The UK Prime Minister has explained that the draft agreement relates to the terms by which the UK will leave the EU and the Outline is a forward-looking document describing briefly the relationship and mechanisms between the UK and the EU post Brexit. Mrs May has stressed she will work with her European counterparts to provide more detail on the forward-looking aspect.

What is the Draft EU-UK Withdrawal Agreement?

The draft agreement stretches to a weighty 185 Articles over 585 pages and sets out the arrangements for the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union. Of particular relevance to data protection practitioners is Section VII, ‘Data and information processed or obtained before the end of the transition period, or on the basis of this agreement’. Within this, articles 70 to 74 relate to, Union law on the protection of personal data i.e. the GDPR and the European Directive governing electronic communications, which in the UK give us the Privacy and Electronic Regulations (PECR).

So, what’s new?

There’s a fear that in a post-Brexit world the current free flow of personal data within the EU would no longer exist and UK organisations could be left grappling with strict data transfer rules. A significant point in the draft agreement is that some flexibility is proposed around the deadline for agreeing a mechanism for data flows between the UK and the EU, post Brexit. The UK hopes to be awarded what is termed an adequacy decision, whereby the EU would recognise UK data protection standards to be on a par with those of the EU.

Also, even though it seems likely that the UK Information Commissioner will lose her seat on the European Data Protection Board (EDPB), after the UK leaves the EU, there is a stated intention to maintain, ‘appropriate cooperation between regulators’in the forward-looking Outline of Political Declaration. Again, this perhaps provides some comfort that the UK may not be completely left out in the cold. However, indications are that the Adequacy Plus scenario that was being sought at the start of UK-EU negotiations, whereby the UK Commissioner would keep her place on the EDPB, will not be achieved.

The Implementation Period (aka The Transition Period)

The draft Withdrawal Agreement sets out that EU law (including data protection law) will continue to apply to the UK after 29th March 2019 until a treaty governing the future relationship between the EU and the UK comes into force. This post Brexit period is being termed either the implementation period or the transition period. What’s changed is that the draft agreement says that the transition period can be extended beyond the end of 2020, if agreement between the parties has not been reached by this time. This is a politically contentious point (as is everything with Brexit!), but it has been argued this is an improved position because previously the UK could have faced what’s been referred to as a “cliff edge” scenario after 31 December 2020. How much flexibility there is to the timescale has not been made clear.

So what does the future hold?

The draft agreement does not describe a precise mechanism for how data will be transferred. It does however say that EU citizens’ data processed in the UK before and after the end of the transition period will be processed in line with EU data protection law. It also says that member states will continue to process data on UK citizens in line with the EU laws. So, the status quo could continue at least until the end of 2020 and perhaps beyond.

To sum up

There are some positives that can be taken from this draft agreement in terms of data protection and it may be reassuring for many organisations that the “cliff edge” scenario could be averted. The withdrawal agreement, if passed by the UK Parliament, would mean the current free flow of personal data remains until at least the end of 2020 and potentially for an undefined period thereafter.